KQL: One successful login followed by X failed logins in Y time period for same user

Hello,

I am new to KQL and am struggling to find the best option to build the query for one successful login followed by X failed logins in a Y time period for the same user.

The scenario is that a user tried password guessing Y times and succeeded, a successful login was triggered, and the whole scenario is time-boxed.

Any suggestion will be appreciated.

I did find an almost similar query, "https://stackoverflow.com/questions/54041200/azure-log-analytics-monitoring-successful-sign-ins-foll...", but this does not check if the successful login came after the failed ones.

Thanks in advance.

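One way to express the detection described in the post, added here as an example and not part of the original post: it pairs each successful sign-in with the same user's failures that occurred strictly before it and inside the window, so the ordering is enforced. The column names follow the Azure AD `SigninLogs` schema (an assumption about the data source), the threshold and window values are assumed, and the rows are constructed sample data.

```kusto
// Constructed sample rows; in a real workspace replace SampleSignins with SigninLogs.
// Assumption: ResultType "0" is a success and any other value is a failure.
// alice: three failures, then a success five minutes after the first failure.
// bob:   a success first, then three failures (wrong order for this detection).
// carol: a single failure followed by a success.
let threshold = 3;   // X: minimum failed attempts before the success (assumed value)
let window = 10m;    // Y: how far back from the success to count failures (assumed value)
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, ResultType:string)
[
    datetime(2024-01-01 10:00:00), "alice@contoso.com", "50126",
    datetime(2024-01-01 10:02:00), "alice@contoso.com", "50126",
    datetime(2024-01-01 10:04:00), "alice@contoso.com", "50126",
    datetime(2024-01-01 10:05:00), "alice@contoso.com", "0",
    datetime(2024-01-01 09:00:00), "bob@contoso.com",   "0",
    datetime(2024-01-01 09:10:00), "bob@contoso.com",   "50126",
    datetime(2024-01-01 09:11:00), "bob@contoso.com",   "50126",
    datetime(2024-01-01 09:12:00), "bob@contoso.com",   "50126",
    datetime(2024-01-01 11:00:00), "carol@contoso.com", "50126",
    datetime(2024-01-01 11:01:00), "carol@contoso.com", "0"
];
// Every successful sign-in becomes an anchor point for the look-back.
let Successes = SampleSignins
    | where ResultType == "0"
    | project UserPrincipalName, SuccessTime = TimeGenerated;
SampleSignins
| where ResultType != "0"
| project UserPrincipalName, FailTime = TimeGenerated
// Pair each failure with each success of the same user.
| join kind=inner (Successes) on UserPrincipalName
// Keep only failures that happened before the success and within the window.
| where FailTime < SuccessTime and FailTime >= SuccessTime - window
| summarize FailedCount = count(),
            FirstFailure = min(FailTime),
            LastFailure = max(FailTime)
    by UserPrincipalName, SuccessTime
| where FailedCount >= threshold
| order by SuccessTime asc
```

The join compares every failure with every success per user, so on a large workspace add a `TimeGenerated` filter to both sides before joining.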